[OpenID] My answers to the nominee questions

Breno de Medeiros breno at google.com
Sun Dec 14 06:35:52 UTC 2008


On Sat, Dec 13, 2008 at 5:33 AM, Peter Williams <pwilliams at rapattoni.com> wrote:
> Say more!  given the OP is the deliverer of "the data".
>
> Why not use the AX extension for these querying functions, given the openid
> association (over which an OP knows it itself has recently sent an
> assertion) is essentially a persistent authorization ticket?
>
> Do we need to reopen the backchannel flow of openid messaging to deliver AX
> (and the other openid extensions being normalized)?
>
> Was the openid2 backchannel flow closed, to facilitate OAUTH getting its
> spot in the stack (under some Identerati deal)? Should we reopen it?
>
> Architecturally, it seems silly to adopt OAUTH, if openid would do the
> same job using a mere extension.

OpenID only authenticates the OP, not the RP. The association provides
only a mechanism for the OP to sign statements that the RP can
validate. Nothing that the RP can say to the OP will be bound to
anything like a realm and is meaningless. Therefore the OP cannot
securely grant the RP long-term access to the user's data at the OP,
even with the user's consent.

OAuth, on the other hand, only authenticates the consumer, not the
service provider. So OpenID + OAuth, where OAuth consumer = RP and
OAuth SP = OP, achieves: (1) authentication user + OP -> RP and (2)
authorization RP -> user data at OP.

OpenID could have designed a key agreement scheme in the association
request to involve a full handshake and output a 2-way authenticated
HMAC key. Then it would be able to support authorization requests.
However, simply opening the back-end channel and expecting the OP to
send the user's data to an unknown site is a non-starter.

>
> (I'm pretty ignorant on the topic of OAUTH, but open minded.)
>
> I keep waiting for the RDF crowd to define an openid extension that is
> a(nother) binding for SPARQL queries, leveraging the authorization functions
> of the openid association keys and assoc-identifiers to do I&A and machine
> authz – much as folks use SSL session-keys and session-identifiers.
>
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Allen Tom
> Sent: Friday, December 12, 2008 6:48 PM
> To: SitG Admin; general at openid.net
> Subject: Re: [OpenID] My answers to the nominee questions
>
> SitG Admin wrote:
>
> It would be nice if RPs had an "I'll scratch your back if you'll scratch
> mine" system by which they could send short messages to one another's
> networks - for instance, Monster.com would say "Hey Yahoo, please notify all
> the Friends of this user on your network, blah blah blah." and Yahoo could
> do so.
>
> Yahoo has an OAuth protected API that allows a Yahoo user to authorize an RP
> to write to the user's Activity Stream using the Yahoo! Updates API. The
> user's connections would be able to see the message in their Updates feed.
> This is very similar in concept to the News Feed on other sites.
>
> It would be really nice if a user could sign into an RP using OpenID, and
> simultaneously authorize that site to access their data on Yahoo using
> OAuth. Expect to hear more about this soon.
>
> More info about the Yahoo! Updates API is here:
> http://developer.yahoo.com/social/updates/
>
> Allen
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>

-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
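
The two authentication directions contrasted in the reply above, modelled as an added example (hypothetical Python written for this page, not code from the OpenID or OAuth specifications or from any implementation). It shows an OP signing an assertion with an association key that the RP can verify, an RP signing a message back to the OP with the same key, which the OP can check but cannot bind to any realm because the association was established anonymously, and an OAuth consumer secret that the service provider can map back to the site it was issued to. The endpoint URLs, the `fetch_data` mode, the consumer registry entries and all keys are constructed for the example.

```python
"""Toy model of the asymmetry in the reply above (hypothetical code, not from
any OpenID or OAuth implementation): an OpenID association lets the RP verify
the OP's assertions, while an OAuth consumer secret lets the service provider
(OP) identify the consumer (RP)."""
import base64, hashlib, hmac, secrets
from urllib.parse import quote

OPENID_NS = "http://specs.openid.net/auth/2.0"


def openid_sign(mac_key, fields):
    """HMAC-SHA256 association signature: HMAC over the OpenID 2.0 key-value
    form ('name:value\\n', names without 'openid.') of the openid.signed list."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in fields["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


def openid_verify(mac_key, fields):
    """Either holder of the association key can check a signature."""
    return hmac.compare_digest(openid_sign(mac_key, fields), fields["openid.sig"])


class OpenIDProvider:
    def __init__(self):
        self.associations = {}  # handle -> MAC key, and nothing else

    def associate(self):
        """OpenID 2.0 agrees the MAC key over unauthenticated Diffie-Hellman or
        plain TLS; modelled as the OP minting a random key. The requester
        presents no verified identity, so none can be recorded."""
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.associations[handle] = key
        return handle, key

    def assertion(self, handle, claimed_id, return_to):
        """Positive assertion (mode id_res) signed with the association key."""
        fields = {"openid.ns": OPENID_NS, "openid.mode": "id_res",
                  "openid.op_endpoint": "https://op.example/endpoint",  # constructed
                  "openid.claimed_id": claimed_id, "openid.return_to": return_to,
                  "openid.assoc_handle": handle,
                  "openid.signed": "op_endpoint,claimed_id,return_to,assoc_handle"}
        fields["openid.sig"] = openid_sign(self.associations[handle], fields)
        return fields

    def authenticated_sender(self, fields):
        """An RP-signed message verifies against the association key, but all
        the OP learns is 'the holder of this handle'. The association record
        has no realm, and openid.realm in the message is an unverified claim."""
        handle = fields.get("openid.assoc_handle")
        key = self.associations.get(handle)
        if key is None or not openid_verify(key, fields):
            return None
        return {"handle": handle, "realm": None}


def oauth_enc(s):
    return quote(str(s), safe="~")  # RFC 5849 s3.6: only unreserved chars stay literal


def oauth_base_string(method, url, params):
    """RFC 5849 s3.4.1 signature base string, oauth_signature excluded."""
    norm = "&".join(f"{oauth_enc(k)}={oauth_enc(v)}"
                    for k, v in sorted(params.items()) if k != "oauth_signature")
    return "&".join([method.upper(), oauth_enc(url), oauth_enc(norm)])


def oauth_hmac_sha1(consumer_secret, token_secret, method, url, params):
    key = f"{oauth_enc(consumer_secret)}&{oauth_enc(token_secret)}".encode()
    mac = hmac.new(key, oauth_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def sp_identify_consumer(registry, method, url, params):
    """OAuth SP side. registry maps consumer key -> (site it was issued to,
    secret); a valid signature proves possession of that registered secret."""
    site, cs = registry.get(params.get("oauth_consumer_key"), (None, None))
    if cs is None:
        return None
    expected = oauth_hmac_sha1(cs, "", method, url, params)
    return site if hmac.compare_digest(expected, params["oauth_signature"]) else None


def demo():
    """Run both directions with constructed endpoints; return what each
    verifier can conclude about its peer."""
    op, rp_site = OpenIDProvider(), "https://rp.example/"
    handle, mac_key = op.associate()
    rp_verifies_op = openid_verify(
        mac_key, op.assertion(handle, "https://alice.op.example/", rp_site + "return"))
    # RP signs a request back to the OP with the same association key
    # ('fetch_data' is a hypothetical mode used only for this example).
    req = {"openid.ns": OPENID_NS, "openid.mode": "fetch_data", "openid.realm": rp_site,
           "openid.assoc_handle": handle, "openid.signed": "mode,realm,assoc_handle"}
    req["openid.sig"] = openid_sign(mac_key, req)
    sender = op.authenticated_sender(req)
    # OAuth: a constructed registration bound this consumer key/secret to rp_site.
    registry = {"consumer-key-rp": (rp_site, "consumer-secret-rp")}
    url = "https://op.example/updates"
    params = {"oauth_consumer_key": "consumer-key-rp", "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "1229236552", "oauth_nonce": secrets.token_hex(8)}
    params["oauth_signature"] = oauth_hmac_sha1("consumer-secret-rp", "", "POST", url, params)
    return {"rp_verifies_op": rp_verifies_op,
            "op_binds_realm": sender["realm"] if sender else "bad signature",
            "sp_identifies_consumer": sp_identify_consumer(registry, "POST", url, params)}
```

`demo()` returns `rp_verifies_op` as true and `sp_identifies_consumer` as the registered site, but `op_binds_realm` as `None`: the RP's signature is valid, yet the OP has nothing in its association record to tie the handle to a realm, which is the gap that using OAuth for the authorization leg fills.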